OK, here’s a hint to point you in the right direction.
The challenge was: “Write a tcpdump/windump filter that will capture ICMPv6 Multicast Listener packets.”
Sounds easy, right?
With a little help from Google you’ll find that the “type” for Multicast listener is 130, and the ICMPv6 type field is the first byte in the header. So this should be as easy as:
tcpdump -nn -p -v -s 0 icmp6[0]=130
However, if you run the command you’ll get back:
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]
In other words, you can use “icmp6” to see all ICMPv6 packets, but you can’t use it to filter on any of the ICMPv6 header fields.
So we need a “Plan B”. Figure out plan B and you’ve solved the challenge.


The pragmatic solution is, of course,
tcpdump -l -i any icmp6 | grep -E '\b160\b'
or similar.
The pcap-based solution depends on whether you want to support IPv6 extension headers or not. If not, you can simply use an offset from the IP header; if you want to support it, it starts getting more evil (look at tcpdump -d ip6 protochain 58 for a BPF example of chasing these headers!), but then again, icmp6 doesn’t really seem to support that either. Is there a solution that doesn’t involve writing your own BPF, and supports chasing the protocol chains?
/* Steinar */
Agreed grep is the easiest implementation. Just makes it more difficult to save pcap files.
To quote RFC 2710: “All MLD messages described in this document are sent with a link-local IPv6 Source Address, an IPv6 Hop Limit of 1, and an IPv6 Router Alert option [RTR-ALERT] in a Hop-by-Hop Options header.”
So you do have an extension header to deal with. As for having to chase the headers, so far I’ve only seen multicast listener packets with the hop-by-hop header. Although I don’t see anything in 2710 forbidding the use of additional headers.
One could imagine IPsec options, but it sounds a bit obscure for MLD…
I guess if you assume that there’s only the RTR-alert option, it’s of fixed length and you could just use the offset. I have no idea if you can actually do iteration or indirection in textual pcap filters.
/* Steinar */
Hi, this function is not supported for upper layers.
I’m not sure if this will work if a next header is included.
So if you would like to filter icmp6 packets by type and you know that the IPv6 header is 20 bytes, you could simply do ip6[21] & 130 !=0. That means the first byte after the IPv6 header, where the ICMPv6 header should be.
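
The fixed-offset check and the header-chasing alternative discussed in the comments above, side by side, as an added example (not code from the post or its commenters). The packets are constructed samples with checksums left at zero, the function names are hypothetical, and the pcap expression in the comment is the fixed-offset check written with ip6[] byte indexing.

```python
import struct

ICMPV6 = 58            # IPv6 next-header value for ICMPv6
MLD_TYPE = 130         # ICMPv6 type the post filters on
TLV_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options:
                       # byte 0 = next header, byte 1 = length in 8-byte units minus 1

def ipv6(next_header, payload):
    """Constructed IPv6 header: fe80::1 -> ff02::1, hop limit 1."""
    src = bytes.fromhex("fe80") + bytes(13) + b"\x01"
    dst = bytes.fromhex("ff02") + bytes(13) + b"\x01"
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 1) + src + dst + payload

def hop_by_hop(next_header):
    """8-byte hop-by-hop header: Router Alert option (5, len 2, value 0) + PadN."""
    return bytes([next_header, 0, 5, 2, 0, 0, 1, 0])

def dest_opts(next_header):
    """8-byte destination options header holding only padding (PadN, 4 bytes)."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

# Constructed MLD message: type, code, checksum left at 0, then 20 zero bytes.
MLD = bytes([MLD_TYPE, 0, 0, 0]) + bytes(20)

def fixed_offset_match(pkt):
    """Same test as the pcap expression
    ip6[6] == 0 and ip6[40] == 58 and ip6[48] == 130
    (assumes exactly one 8-byte hop-by-hop header before ICMPv6)."""
    return len(pkt) > 48 and pkt[6] == 0 and pkt[40] == ICMPV6 and pkt[48] == MLD_TYPE

def icmp6_type(pkt):
    """Walk the next-header chain; return the ICMPv6 type or None."""
    if len(pkt) < 40:
        return None
    nh, off = pkt[6], 40
    while off + 1 < len(pkt):
        if nh == ICMPV6:
            return pkt[off]
        if nh not in TLV_EXT:
            return None  # fragment, AH, ESP, other protocol: not handled here
        nh, off = pkt[off], off + 8 * (pkt[off + 1] + 1)
    return None

TYPICAL = ipv6(0, hop_by_hop(ICMPV6) + MLD)                # RFC 2710 layout
EXTRA = ipv6(0, hop_by_hop(60) + dest_opts(ICMPV6) + MLD)  # one more header
BARE = ipv6(ICMPV6, MLD)                                   # no extension header

if __name__ == "__main__":
    for name, pkt in (("typical", TYPICAL), ("extra", EXTRA), ("bare", BARE)):
        print(name, fixed_offset_match(pkt), icmp6_type(pkt))
```

Only the chain walk still finds type 130 once a second extension header is present; the fixed-offset test matches the hop-by-hop-only layout and nothing else.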